International Association for Cryptologic Research

International Association
for Cryptologic Research


Cryptographic Pseudorandom Generators Can Make Cryptosystems Problematic

Koji Nuida
DOI: 10.1007/978-3-030-75248-4_16
Search ePrint
Search Google
Presentation: Slides
Abstract: Randomness is an essential resource for cryptography. For practical randomness generation, the security notion of pseudorandom generators (PRGs) intends to automatically preserve (computational) security of cryptosystems when used in implementation. Nevertheless, some opposite case such as in computational randomness extractors (Barak et al., CRYPTO 2011) is known (but not yet systematically studied so far) where the security can be lost even by applying secure PRGs. The present paper aims at pushing ahead the observation and understanding about such a phenomenon; we reveal such situations at layers of primitives and protocols as well, not just of building blocks like randomness extractors. We present three typical types of such cases: (1) adversaries can legally see the seed of the PRGs (including the case of randomness extractors); (2) the set of "bad" randomness may be not efficiently recognizable; (3) the formulation of a desired property implicitly involves non-uniform distinguishers for PRGs. We point out that the semi-honest security of multiparty computation also belongs to Type 1, while the correctness with negligible decryption error probability for public key encryption belongs to Types 2 and 3. We construct examples for each type where a secure PRG (against uniform distinguishers only, for Type 3) does not preserve the security/correctness of the original scheme; and discuss some countermeasures to avoid such an issue.
Video from PKC 2021
  title={Cryptographic Pseudorandom Generators Can Make Cryptosystems Problematic},
  booktitle={Public-Key Cryptography - PKC 2021},
  author={Koji Nuida},